---
# Locate the distro-shipped shim inside the target root and place it in the
# vendor directory of the EFI system partition so the firmware can chain
# shim -> GRUB when Secure Boot is enforced.
- name: Configure shim-based Secure Boot
  vars:
    # EFI vendor directory name derived from the target OS: rhel -> redhat,
    # ubuntu / ubuntu-lts -> ubuntu, anything else keeps the os value as-is.
    _efi_vendor: >-
      {{ (os == 'rhel') | ternary('redhat', (os in ['ubuntu', 'ubuntu-lts']) | ternary('ubuntu', os)) }}
  block:
    # Search both the package location and an already-populated ESP inside the
    # chroot. `sort -r | head -1` keeps the lexically last path, so within one
    # directory the preference order is .signed.latest > .signed > .dualsigned
    # > bare shimx64.efi, and /usr/lib/shim wins over /boot/efi/EFI.
    # failed_when: false means a missing directory or a failing chroot leaves
    # stdout empty and the copy below is skipped rather than the play failing.
    # NOTE(review): the selected file is not signature-checked here; the bare
    # shimx64.efi fallback only boots under Secure Boot if that file is itself
    # vendor-signed — confirm for each supported distro.
    - name: Find shim binary in target system
      register: _shim_find_result
      changed_when: false
      failed_when: false
      ansible.builtin.shell:
        executable: /bin/bash
        cmd: >-
          set -o pipefail && {{ chroot_command }} find /usr/lib/shim /boot/efi/EFI
          \( -name 'shimx64.efi.signed.latest' -o -name 'shimx64.efi.dualsigned'
          -o -name 'shimx64.efi.signed' -o -name 'shimx64.efi' \) -type f
          | sort -r | head -1

    # The find result is a path relative to the chroot, hence the /mnt prefix
    # on both source and destination. Only runs when something was found and
    # the platform configuration asked for a GRUB install; a failing cp fails
    # the task (no failed_when override).
    - name: Copy shim to EFI vendor directory
      when: >-
        (_shim_find_result.stdout | default('') | length > 0)
        and (_configuration_platform.grub_install | bool)
      register: _shim_copy_result
      changed_when: _shim_copy_result.rc == 0
      ansible.builtin.command: >-
        cp /mnt{{ _shim_find_result.stdout_lines | first }}
        /mnt{{ partitioning_efi_mountpoint }}/EFI/{{ _efi_vendor }}/shimx64.efi

    # Unconditional check of the final location, so the report below reflects
    # the ESP contents regardless of whether the copy ran.
    - name: Verify shim is present
      register: _shim_stat
      ansible.builtin.stat:
        path: "/mnt{{ partitioning_efi_mountpoint }}/EFI/{{ _efi_vendor }}/shimx64.efi"

    # Informational only; the not-found branch is a hint, not a guarantee.
    - name: Report Secure Boot status
      ansible.builtin.debug:
        msg: >-
          Secure Boot (shim): {{ ('shimx64.efi installed at ' ~ partitioning_efi_mountpoint ~ '/EFI/' ~ _efi_vendor)
          if (_shim_stat.stat.exists | default(false))
          else 'shimx64.efi not found, shim package may handle placement on first boot' }}